Hi, @minton55.
See below for an example that works for me.
@hdezcarlos, as @minton55 mentioned, the REST API is going to be deprecated. If there’s anything that you can’t do with the GraphQL API, please create an issue in gitlab-org/gitlab and tag me (@thiagocsf).
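# Lists the MEDIUM-severity CONTAINER_SCANNING vulnerabilities of one project,
# with each finding's scanner, identifiers, links, location and code details.
#
# `location` is an interface type: only the inline fragment matching the
# finding's report type contributes fields. The original query filtered on
# CONTAINER_SCANNING but only spread SecretDetection/Sast/DependencyScanning
# fragments, so every node's `location` came back as `{}`. The
# VulnerabilityLocationContainerScanning fragment below fixes that; the other
# fragments are kept so the query still works if the reportType filter changes.
#
# `nodes` is a paginated connection; `pageInfo` is included so a full export
# can loop with `after: <endCursor>` instead of silently stopping at one page.
{
  project(fullPath: "gitlab-examples/security/security-reports") {
    id
    name
    # Both arguments are enum values (unquoted).
    vulnerabilities(severity: MEDIUM, reportType: CONTAINER_SCANNING) {
      pageInfo {
        endCursor
        hasNextPage
      }
      nodes {
        id
        reportType
        title
        severity
        detectedAt
        updatedAt
        vulnerabilityPath
        description
        # Triage state of the finding; `falsePositive` is the scanner's flag,
        # `state` is the project's current disposition (e.g. DETECTED).
        falsePositive
        state
        hasSolutions
        scanner {
          reportType
          externalId
          name
          vendor
        }
        # External identifiers (e.g. CVE ids) with their reference URLs.
        identifiers {
          externalId
          externalType
          name
          url
        }
        project {
          id
          name
          fullPath
        }
        links {
          name
          url
        }
        location {
          # Matches the CONTAINER_SCANNING filter above.
          ... on VulnerabilityLocationContainerScanning {
            image
            operatingSystem
            dependency {
              package {
                name
              }
              version
            }
          }
          ... on VulnerabilityLocationSecretDetection {
            file
            startLine
            endLine
            vulnerableClass
            vulnerableMethod
            blobPath
          }
          ... on VulnerabilityLocationSast {
            file
            startLine
            endLine
            vulnerableClass
            vulnerableMethod
            blobPath
          }
          ... on VulnerabilityLocationDependencyScanning {
            file
            dependency {
              package {
                name
              }
              version
            }
            blobPath
          }
        }
        details {
          ... on VulnerabilityDetailCode {
            description
            fieldName
            lang
            name
            value
          }
        }
      }
    }
  }
}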
And the response:
{
"data": {
"project": {
"id": "gid://gitlab/Project/6102100",
"name": "security-reports",
"vulnerabilities": {
"nodes": [
{
"id": "gid://gitlab/Vulnerability/46961567",
"reportType": "CONTAINER_SCANNING",
"title": "CVE-2022-22576 in curl-7.79.1-1.amzn2.0.1",
"severity": "MEDIUM",
"detectedAt": "2022-06-13T20:54:25Z",
"updatedAt": "2023-04-27T05:09:37Z",
"vulnerabilityPath": "/gitlab-examples/security/security-reports/-/security/vulnerabilities/46961567",
"description": "A vulnerability was found in curl. This security flaw allows reusing OAUTH2-authenticated connections without properly ensuring that the connection was authenticated with the same credentials set for this transfer. This issue leads to an authentication bypass, either by mistake or by a malicious actor.",
"falsePositive": false,
"state": "DETECTED",
"hasSolutions": true,
"scanner": {
"reportType": "CONTAINER_SCANNING",
"externalId": "trivy",
"name": "Trivy",
"vendor": "GitLab"
},
"identifiers": [
{
"externalId": "CVE-2022-22576",
"externalType": "cve",
"name": "CVE-2022-22576",
"url": "https://access.redhat.com/security/cve/CVE-2022-22576"
}
],
"project": {
"id": "gid://gitlab/Project/6102100",
"name": "security-reports",
"fullPath": "gitlab-examples/security/security-reports"
},
"links": [
{
"name": null,
"url": "https://access.redhat.com/security/cve/CVE-2022-22576"
},
{
"name": null,
"url": "https://curl.se/docs/CVE-2022-22576.html"
},
{
"name": null,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22576"
},
{
"name": null,
"url": "https://ubuntu.com/security/notices/USN-5397-1"
}
],
"location": {},
"details": []
},
{
"id": "gid://gitlab/Vulnerability/26233",
"reportType": "CONTAINER_SCANNING",
"title": "CVE-2016-10228 in glibc",
"severity": "MEDIUM",
"detectedAt": "2020-01-17T04:05:42Z",
"updatedAt": "2020-01-17T04:05:42Z",
"vulnerabilityPath": "/gitlab-examples/security/security-reports/-/security/vulnerabilities/26233",
"description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
"falsePositive": false,
"state": "DETECTED",
"hasSolutions": null,
"scanner": {
"reportType": "CONTAINER_SCANNING",
"externalId": "clair",
"name": "Clair",
"vendor": "GitLab"
},
"identifiers": [
{
"externalId": "CVE-2016-10228",
"externalType": "cve",
"name": "CVE-2016-10228",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10228"
}
],
"project": {
"id": "gid://gitlab/Project/6102100",
"name": "security-reports",
"fullPath": "gitlab-examples/security/security-reports"
},
"links": [
{
"name": null,
"url": "https://security-tracker.debian.org/tracker/CVE-2016-10228"
}
],
"location": {},
"details": []
}
]
}
}
}
}